API & Integrations - IBM QRadar (SIEM v3)

This article describes the latest version (v3.0.0) of the Mimecast for IBM QRadar extension within API & Integrations.

Overview

The Mimecast for QRadar extension allows QRadar administrators to process Mimecast SIEM, Audit, Data Leak Prevention and Targeted Threat Protection event data using IBM QRadar.

Depending on the services subscribed to, the Mimecast security data available to customers includes:

  • SIEM Logs
    • Receipt
    • Process
    • Delivery
    • Internal/Journal
    • Spam Event Thread
    • Impersonation Protect
    • Attachment Protect
    • URL Protect
    • Internal Email Protection
    • AV
  • Audit Logs
  • Data Leak Prevention Logs
  • Targeted Threat Protection
    • Impersonation Protect
    • Attachment Protect
    • URL Protect

Release Notes

v3.0.0

  • Revamped the existing configuration page.

    • Added support for a proxy.

    • Added enable/disable functionality to collect each data separately.

  • Migrated API endpoints from v1 to v2.

  • Removed the Mimecast Region field from the event and added Account Name in every event payload.

  • Added below data collections:

    • Data Leak Prevention.

    • Targeted Threat Protection URL.

    • Targeted Threat Protection Attachment Protect.

From version 3.0.0 the audit event name mc_event audit auth login failed, mc_event audit auth other, mc_event audit auth user logon will not be visible. The audit events will be parsed based on the audit category.

Compatibility

  • IBM QRadar v7.5.0 Update Package 4 and subsequent.

  • IBM QRadar v7.4.3 Fix Pack 8 and subsequent.

Configuring Mimecast

The preparation required in the Mimecast Administration Console involves the following:

  1. Adding the User to an Administrator Role
  2. Application Role Permissions

See the table below for the endpoints, the data collection scripts used, and the associated Mimecast Administrator permissions required. For convenience, all permissions are included in the Basic Administrator role.

Endpoint                               Required Mimecast Administrator permission
/api/audit/get-audit-events            Account | Logs | Read
/api/ttp/impersonation/get-logs        Monitoring | Impersonation Protect | Read
/api/ttp/impersonation/get-logs        Monitoring | Attachment Protection | Read
/api/ttp/url/get-logs                  Monitoring | URL Protection | Read
/api/dlp/get-logs                      Monitoring | Data Leak Prevention | Read
/siem/v1/batch/events/cg               Security Events and Data Retrieval | Threat and Security Events (SIEM) | Read

  1. Navigate to Account | Roles.
  2. Right-click Administration Role (e.g., Basic Administrator).
  3. Select the Add Users to Role menu item.
  4. Browse for the User created in the Creating a User section.
  5. Select the Tick Box to the left of the user.
  6. Click Add Selected Users.

App Installation & Configuration

Upgrade

V3.0.0

To upgrade from v2.x.x to 3.0.0, uninstall the App and then follow the installation steps to install version 3.0.0.

Installing Mimecast QRadar

The Mimecast for QRadar extension is available from IBM X-Force Exchange. Once you have logged on, you should be able to download the extension:

  1. Log on to the IBM QRadar Admin Console.
  2. Click on the Admin tab.
  3. Click on Extension Management.
  4. Click Add.
  5. Click Browse.
  6. Navigate to the location where the Mimecast for QRadar extension has been stored.
  7. Follow the instructions on the screen to proceed with the installation.

Configuring Mimecast for QRadar

After completing the installation, you must complete the configuration before the Mimecast for QRadar App can be used.

Mimecast for QRadar collects data from the Mimecast API. For data collection, Client ID and Client Secret are required for the user created in step 2 of the "Configuring the Mimecast Administration Console" section above.

The setup process for configuring the App is as follows:

  1. Find the installed App on the Admin panel under the Apps section.

  2. Click on the Mimecast API Configuration icon.

  3. Configure Mimecast Account by clicking on the Add Mimecast Account button.

  4. The Account Configuration page has the following fields:

    • Mimecast Base URL: Base URL of Mimecast account. Its default value is https://api.services.mimecast.com. After the account is configured this field is not editable.
    • Client ID: Client ID of the Mimecast Platform that will be used to make API calls.
    • Client Secret: Client Secret of the Mimecast Platform that will be used to make API calls.
    • Polling Interval (In Seconds): It is the number of seconds after which the REST API is called during real-time data collection. The default value is 900 seconds, and the maximum value can be set to 3600 seconds. For SIEM data collection, the recommended polling interval is 900 seconds.
    • Event Collector IP/Hostname: Mimecast events will be ingested in the provided Event Collector IP/Hostname. Its value populates with the current console IP address.
    • For Proxy Settings:
      • Enable/Disable proxy: It is a toggle button to enable/disable proxy. Users can select its value depending on their environment.
      • IP/Hostname: IP/Hostname of the proxy server without prefixing HTTP/HTTPS.
      • Port: Port of the proxy server.
      • Require Authentication for proxy: It is a checkbox to enable/disable authentication requirements for proxy. Users can select its value depending on their environment.
      • Username: Username of the Authentication proxy.
      • Password: Password of the Authentication proxy.
  5. After entering all the valid data in the pop-up form, when you click on the Validate & Next button, the configuration for the Mimecast Account will be validated and the Input Configurations pop-up form will open.
  6. The Input Configuration page has the following fields:

    • Enable/Disable Mimecast SIEM: It is a toggle button to enable/disable Mimecast SIEM data collection.
      • Start Time (In UTC): It is used for making API calls to collect SIEM data from Mimecast. Its default value is 3 days ago and the maximum value can be set to 7 days ago.
    • Enable/Disable TTP URL: It is a toggle button to enable/disable TTP URL data collection.
      • Start Time (In UTC): It is used for making API calls to collect TTP URL data from Mimecast. Its default value is 7 days ago and the maximum value can be set to 60 days ago.
      • Logs to Fetch: This field is used to limit the type of logs to be fetched in real-time TTP URL data collection. Its default value is All.
    • Enable/Disable Data Leak Prevention: It is a toggle button to enable/disable Data Leak Prevention data collection
      • Start Time (In UTC): It is used for making API calls to collect Data Leak Prevention data from Mimecast. Its default value is 7 days ago and the maximum value can be set to 60 days ago.
      • Logs to Fetch: This field is used to limit the type of logs to be fetched in real-time Data Leak Prevention data collection. Its default value is All.
    • Enable/Disable Audit: It is a toggle button to enable/disable Audit data collection.
      • Start Time (In UTC): It is used for making API calls to collect Audit data from Mimecast. Its default value is 7 days ago and the maximum value can be set to 60 days ago.
    • Enable/Disable TTP Attachment Protect: It is a toggle button to enable/disable TTP Attachment Protect data collection.
      • Start Time (In UTC): It is used for making API calls to collect TTP Attachment Protect data from Mimecast. Its default value is 7 days ago and the maximum value can be set to 60 days ago.
      • Logs to Fetch: This field is used to limit the type of logs to be fetched in real-time TTP Attachment Protect data collection. Its default value is All.
    • Enable/Disable TTP Impersonation Protect: It is a toggle button to enable/disable TTP Impersonation Protect data collection.
      • Start Time (In UTC): It is used for making API calls to collect TTP Impersonation Protect data from Mimecast. Its default value is 7 days ago and the maximum value can be set to 60 days ago.
      • Logs to Fetch: This field is used to limit the type of logs to be fetched in real-time TTP Impersonation Protect data collection. Its default value is All.
  7. After entering all the valid data in the pop-up form, when you click on the Save button, the configuration for the Mimecast Account will be stored and the screen will show a success message for the added configuration.

  8. Users can configure up to 5 accounts.

Mimecast security log data will start to be collected. The data is viewable from the Log Activity tab in the QRadar Admin Console. Quick searches are created when the extension is installed. These can be viewed from the Log Activity tab under the Quick Searches drop-down menu.

Uninstalling the Application

To uninstall the Application, the user needs to perform the following steps.

  1. Go to the Admin Page.
  2. Open Extension Management.
  3. Select Mimecast for QRadar - QRadar v7.5.0 UP4+/7.4.3 FP8+ Application.
  4. Click on Uninstall.

Steps to access the Application Docker container

Users can open a shell inside the Application docker container. From within the container, the user can see logs and configure some parameters.

Perform the below commands on your QRadar instance via SSH:

  1. Run the command: /opt/qradar/support/recon ps
  2. The above command lists all the Applications installed in QRadar. Find the App with the name Mimecast for QRadar and copy its App ID (screenshot: List of installed extensions).
  3. Run the command: docker ps
  4. Find the Container ID of the Mimecast App: it is the value in the CONTAINER ID column of the row whose IMAGE column contains the App ID copied above (e.g., .....qApp-1123...).
  5. Run docker exec -it <container_id> /bin/bash to open a shell inside the container. You are now in the docker container.

Steps to check Application logs

Users can see the Application logs by accessing the Application docker container from QRadar via SSH.

  1. Log in to QRadar via SSH and follow the steps in Steps to access the Application Docker container.
  2. Run the command cd /opt/App-root/store/log to navigate to the log directory.
  3. The log file named App.log contains the logs of the configuration page.
  4. The log file named account_<Account Name>_data_collection.log contains the logs of the data collection process for the specified configured account.

Steps to Add SSL/Proxy Certificates in QRadar

Perform the following steps to add SSL Certificates in QRadar:

  1. Put your certificate at path /etc/pki/ca-trust/source/anchors/ on the QRadar console.
  2. Run the following two commands at the SSH command line on the console.
/opt/qradar/support/all_servers.sh -p /etc/pki/ca-trust/source/anchors/<root_certificate> -r /etc/pki/ca-trust/source/anchors
/opt/qradar/support/all_servers.sh -C update-ca-trust

If the App is already installed, restart the docker container using these steps.

For more information, see the IBM documentation.

Steps to Restart the Docker Container

To restart the docker container, follow these steps:

  1. Run command - docker restart <Container-ID>.

The container ID of the App can be obtained by following these steps.

Saved Searches

Users can see the Mimecast events in the Log Activity tab of the QRadar. To change the time range in the saved search, change the time from the View dropdown.

Steps to run a saved search in QRadar:

  1. Go to the Log Activity tab in QRadar.
  2. Click on the Search dropdown and select New Search.
  3. Click on the Group dropdown and select Mimecast.
  4. Select a search from the list of available Saved Searches and click on Load. To run the search in the Log Activity tab, click on the Search button located at the bottom right corner.

Troubleshooting

Case #1 – App configuration fails with various error messages

Problem:

A configuration fails with the error message Failed to validate Mimecast configurations. Invalid Client ID or Client Secret. Below is a screenshot for quick reference:


Troubleshooting Steps:

This happens when the user has entered an expired or invalid Client ID or Client Secret. Please verify the credentials. To check logs, see Steps to check Application logs.

Problem:

A configuration fails with the error message Failed to validate Mimecast configurations. Invalid Mimecast Base URL. Check logs for more details. Below is a screenshot for quick reference:


Troubleshooting Steps:

This happens when the user has entered an invalid Mimecast Base URL. Please verify the Mimecast Base URL. To check logs, see Steps to check Application logs.

Case #2 – UI related issues in the App

Problem:

Configuration page shows error or unintended behavior.

Troubleshooting Steps:

Please follow the below steps:

  1. Clear the browser cache and reload the webpage.
  2. If the issue is not resolved, please contact support by following the troubleshooting steps given in Case #6.

Case #3 – Mimecast events are parsed as Unknown or Mimecast Mail Service Message

Problem:

Mimecast events are parsed as Unknown or Mimecast Mail Service Message.

Troubleshooting Steps:

  1. Go to the Log Source Extensions tab under the Admin section.
  2. Confirm that Default for Log Source Types is Mimecast Mail Service. If it is not Mimecast Mail Service, perform the below steps.
  3. Click on MimecastMailServiceCustom_ext, which will download an XML file.
  4. Log in to the QRadar console via SSH and execute the following command:
/opt/qradar/bin/contentManagement.pl -a search -c 24 -r .*Mimecast
  5. Copy the ID corresponding to Mimecast for QRadar. If the ID copied is 4002, then in the XML file, change device-type-id-override="4001" to device-type-id-override="4002".
  6. Select the row with the Extension Name MimecastMailServiceCustom_ext and click on the Edit button.
  7. Click on Choose File, select the modified XML file and Upload. Select the default Log Source Type as Mimecast Mail Service.
  8. Click on Save.
  9. After clicking on Save, confirm that the value of device-type-id-override is correct for all the extensions. Refer to the screenshot below:
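The XML edit in the steps above is easy to get wrong by hand when several extensions need the same change, and the final step asks you to confirm the value afterwards. The following script is an added example, not code from Mimecast or IBM: it rewrites every device-type-id-override attribute in a downloaded extension file to the ID returned by contentManagement.pl and reports what the file now contains. It assumes the attribute appears as shown in the article; the sample document embedded below is constructed and simplified.

```python
"""Rewrite device-type-id-override in an exported QRadar log source extension XML."""
import re
import sys
import xml.etree.ElementTree as ET

ATTR = "device-type-id-override"

# Constructed sample: a simplified stand-in for the downloaded
# MimecastMailServiceCustom_ext XML, still carrying the stale id 4001.
SAMPLE_XML = """<device-extension xmlns="event_parsing/device_extension" device-type-id-override="4001">
  <pattern id="EventName" xmlns="">(.*)</pattern>
</device-extension>
"""


def override_ids(xml_text: str) -> set[str]:
    """Every device-type-id-override value in the document (the check in step 9)."""
    return set(re.findall(rf'{ATTR}\s*=\s*"(\d+)"', xml_text))


def rewrite_override(xml_text: str, new_id: int) -> tuple[str, int]:
    """Return the document with every override set to new_id, plus the count changed.

    The replacement is done on the raw text rather than through an XML library,
    so the file uploaded back to QRadar differs from the download only in that attribute.
    """
    pattern = re.compile(rf'({ATTR}\s*=\s*")\d+(")')
    updated, count = pattern.subn(rf'\g<1>{new_id}\g<2>', xml_text)
    ET.fromstring(updated)  # raises ParseError if the edit broke the XML
    return updated, count


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <extension.xml> <device-type-id>", file=sys.stderr)
        return 2
    path, new_id = argv[1], int(argv[2])
    with open(path, encoding="utf-8") as fh:
        before = fh.read()
    after, changed = rewrite_override(before, new_id)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(after)
    print(f"{path}: changed {changed} override(s); now {sorted(override_ids(after))}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each downloaded extension file with the ID copied in step 5, then upload the modified files as described in steps 6 to 8.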

Case #4 – Error while initiating socket connection with IBM QRadar

Problem:

“Error while initiating socket connection with IBM QRadar” observed in Log Files.

Troubleshooting Steps:

While using QRadar v7.5.0 UP4+ with an encrypted App Host, there is no way to create a TCP socket connection between the App Host and the QRadar console. Refer to the IBM support page for a possible workaround.

This issue is fixed in QRadar version 7.5.0 UP9.

If the issue is not resolved, please contact support by following the troubleshooting steps given in Case #6.

Case #5 – Wrong Console IP is populated in the Event Collector IP/Hostname field

Problem:

The wrong Console IP is populated in the Event Collector IP/Hostname field on the Configuration page.

Troubleshooting Steps:

Refer to the IBM support page for a possible workaround.

If the issue is not resolved, please contact support by following the troubleshooting steps given in Case #6.

Case #6 – All other issues which are not a part of the Document

Problem:

If the problem is not listed in the document, please follow the below steps.

Troubleshooting Steps:

Please follow the below steps to generate log files on QRadar on-prem:

  1. Click on System and License Management in the Admin Panel.
  2. Select the host on which the tab Mimecast for QRadar - QRadar v7.5.0 UP4+/7.4.3 FP8+ is installed.
  3. Click on Actions in the top panel and select the option Collect Log Files.
  4. A pop-up named Log File Collection will open.
  5. Click on Advance Options.
  6. Select the checkbox to Include Debug Logs, Application Extension Logs, and Setup Logs (Current Version).
  7. Select the number of days back to which log collection should reach (covering the time the issue occurred), then click on the Collect Log Files button.
  8. Click on Click here to download files.
  9. This will download all the log files in a single zip on your local machine.
  10. Please reach out to support, or email your Mimecast Customer Success Manager and attach this log file.

Please follow the below steps to generate log files on QRadar on Cloud (QRoC):

  1. Open the Admin settings, and click QRadar on Cloud Self Serve.
  2. Click Log Bundles.
  3. To request a new log bundle, complete the following steps:
    • In the Log Bundles section, click Request New Log Bundle.
    • Select the Include App Logs checkbox to include Application extension logs in the log bundle.
    • Click Submit.
  4. This will download all the log files in a single zip on your local machine.
  5. Please reach out to support, or email your Mimecast Customer Success Manager and attach this log file.